fff-network: Add comments to set sysctls

To make it clear why the set sysctls are necessary, add appropriate comments to them. Also reorder them for improved readability. Signed-off-by: Fabian Bläse <fabian@blaese.de>
fff-network: Remove obsolete and unnecessary sysctls
2021-04-19 19:02:39 +02:00 · 2021-04-19 19:02:27 +02:00
1 changed files with 20 additions and 42 deletions
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@ -1,46 +1,24 @@
-net.ipv4.conf.default.arp_ignore=1
-net.ipv4.conf.all.arp_ignore=1
-net.ipv4.conf.all.forwarding=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.tcp_ecn=0
-net.ipv4.tcp_fin_timeout=30
-net.ipv4.tcp_keepalive_time=120
-net.ipv4.tcp_syncookies=1
-net.core.netdev_max_backlog=30
-net.netfilter.nf_conntrack_checksum=0
-
-#Do not accept source routing
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.icmp_echo_ignore_broadcasts=1
-net.ipv4.icmp_ignore_bogus_error_responses=1
+# Disable IPv4 forwarding.
+# This has to be set first, because it resets some of the
+# net.ipv4.conf.* sysctls.
 net.ipv4.ip_forward=0

-net.ipv6.conf.default.accept_dad=0
-net.ipv6.conf.default.accept_ra=0
-net.ipv6.conf.default.accept_redirects=0
-net.ipv6.conf.all.accept_dad=0
-net.ipv6.conf.all.accept_ra=0
-net.ipv6.conf.all.accept_redirects=0
-
-# Learn Prefix Information in Router Advertisement
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.all.accept_ra_pinfo = 0
-
-# Setting controls whether the system will accept Hop Limit settings from a router advertisement
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.all.accept_ra_defrtr = 0
-
-#router advertisements can cause the system to assign a global unicast address to an interface
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.all.autoconf = 0
-
-#how many neighbor solicitations to send out per address?
-net.ipv6.conf.default.dad_transmits = 3
-net.ipv6.conf.all.dad_transmits = 3
-
-# Enable forwarding, otherwise not all local route are examined
+# Enable IPv6 forwarding, otherwise the fc00::/7 route sometimes is
+# not used if a default route is available, which breaks fc00::/7
+# inside Freifunk.
+# To ensure no packets are routed to different interfaces, fff-firewall
+# sets appropriate iptables rules
 net.ipv6.conf.all.forwarding=1
 net.ipv6.conf.default.forwarding=0
+
+# Do not accept Router Advertisements, so no public
+# addresses are assigned to interfaces, where we don't
+# want them. OpenWrts netifd overwrites this option for the WAN
+# interface, so IPv6 WAN connectivity is still possible.
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.all.accept_ra=0
+
+# Disable DAD, so fdff::1 on br-client does not get erroneously disabled.
+# This should be done on a per-interface basis in the future.
+net.ipv6.conf.default.accept_dad=0
+net.ipv6.conf.all.accept_dad=0